Expert advice on cybersecurity, cybersafety and cybercrime. Using real incidents, I explain why cyber risks occur, what form they take, and how they affect cybercitizens as individuals, employees, citizens and parents. Opinions expressed in this blog represent my personal views.

Wednesday, July 26, 2017

The potential for fake news to go viral on social media is quite real. There have been several instances where rumours have incited mob violence between rival communities. One case got out of hand when illiterate tribals in a remote Indian district received a WhatsApp message claiming that a gang was kidnapping children and selling their body parts. The message went viral in these villages, and mobs of up to 500 people pounced on strangers whom they suspected of being child kidnappers; in all there were two incidents in which 7 people were lynched.

It is quite apparent to every cybercitizen that fake or distorted news is on the rise. Social media gives every individual a platform to disseminate such news or information. Fake news is routinely posted to serve vested interests: political distortion, defamation, mischief, inciting trouble and settling personal problems.

As the case above illustrates, when fake news goes viral its ill effects can escalate to the point of physical damage, loss of life or long-term animosity between sections of society. Purposely crafted fake or distorted news, introduced over a period of time by vested interests, can distort perspectives and damage social harmony. Such news is also used effectively for ideological indoctrination.

Creation of fake news is extremely simple. Listed below are six commonly used methods:

· Individuals concoct their own stories

· Marketers release competitive advertisements based on unproven data

· Groups with vested interests manipulate the volume and narrative of news

· Photographs are morphed

· Old photographs are used to depict recent events

· Real photographs are used to defame

Obviously, it is also quite easy to catch the perpetrator. A few years back, a Twitter hoax was dealt with by a strong reprimand, but not today. Fake news, hoaxes, rumours or any other type of content that results in incitement or defamation now attracts stronger penalties and jail terms, and the police are more aware and vigilant.

Most cybercitizens unwittingly help fake news go viral by recirculating it. Each forward creates a belief that the news must be true, because the previous sender must surely have validated it before sending it on.

Pause before forwarding, Evaluate veracity and then Forward. Do not be the link in the chain responsible for the circulation of fake news.

Cybercitizens, do take care when crafting messages on social media – a little mischief may earn you a few years in government-paid accommodation – jail. Advise your children to be responsible and to cross-check news received over social media before recirculating or believing it.

Monday, July 24, 2017

The question of whether privacy is a fundamental right is being argued before the honourable Supreme Court of India. It is a topic to which a young India is waking up. Privacy is often equated with liberty, and young Indians want adequate protection to express themselves.

Privacy, according to Wikipedia, is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. There is little contention over the fact that privacy is an essential element of liberty, and that the voluntary disclosure of private information is part both of human relationships and of a digitized economy.

Data privacy is debated because of the inherent potential for surveillance and disclosure of the electronic records that constitute private information, such as sexual orientation, medical records, credit card information and email.

Disclosure could take place through wrongful use and distribution of the data, such as for marketing, surveillance by governments, or outright data theft by cybercriminals. In each case, a cybercitizen's right to disclose specific information to specific companies or people, for a specific purpose, is violated.

Citizens in western countries are legally protected through data protection regulation. There are eight principles designed to prevent unauthorized use of personal data by governments, organizations and individuals:

1. Lawfulness, fairness and transparency

Personal data needs to be processed on the basis of consent given by data subjects. Companies have an obligation to tell data subjects what their personal data will be used for. Data acquired cannot be sold to other entities, say marketers.

2. Purpose limitation

Personal data collected for one purpose should not be used for a different purpose. If data was collected to deliver an insurance service, it cannot be used to market a different product.

3. Data minimization

Organizations should restrict the collection of personal data to only those attributes needed to achieve the purpose for which consent from the data subject has been received.

4. Accuracy

Data has to be collected, processed and used in a manner that ensures it is accurate. A data subject has the right to inspect and even alter the data.

5. Storage limitation

Personal data should be collected for a specific purpose and not retained for longer than necessary in relation to that purpose.

6. Integrity and confidentiality

Organizations that collect this data are responsible for its security against data theft and against data entry or processing errors that may alter the integrity of the data.

7. Accountability

Organizations are accountable for the data in their possession.

8. Cross-border personal information requirements

Personal information must be processed and stored in a secured environment, and this must also be ensured if the data is processed outside the borders of the country.

It is important for cybercitizens to understand their privacy rights, particularly in the context of information that can be misused for financial gain or to cause reputational damage.

These scams earned between 4 lakhs and 1.2 crore rupees (6,000 – 200,000 USD). The victims were women in their 30s who had posted their profiles on matrimonial portals. They were emotionally blinded and trusted the online relationship.

The scams used in the cases reported in The Times of India, July 20, 2017, were customs harassment, gift clearance or an urgent need of money due to a financial or medical emergency.

31-year-old nurse: conned into accepting a parcel that supposedly contained 15,000 GBP (approx. Rs 12 lakhs); paid Rs 4.2 lakhs (6,000 USD) to a fake courier company.

40-year-old woman: conned into bailing her suitor out of a sticky payment at customs; paid Rs 74 lakhs (11,000 USD) into several accounts.

Young woman: conned into bailing out her UK-based suitor after customs officials had caught him carrying a lot of pounds; paid Rs 4.8 lakhs (7,000 USD).

35-year-old woman: conned into supporting an allegedly US-based suitor through his financial difficulties; paid Rs 1.2 crore (184,000 USD).

40-year-old woman: conned into bailing out her UK suitor due to a sticky payment at customs; paid Rs 4.65 lakhs (7,000 USD).

There will be a large number of unreported scams, as they involve threats of defamation using explicit photos or videos shared during the relationship.

I would again remind cybercitizens that conmen actively target you, use social engineering techniques to gain your trust, and know how to hide themselves on the Internet. These conmen are often difficult to trace, or it is simply too expensive to do so.

My recommendation is to use common sense when in an untrusted and unverified relationship. Any request for money should sound a loud buzzer in your brain. Also, do not share content of a sexual nature which could later be used against you.

A doctor called a shared-ride cab to drive him to the private hospital where he worked. The cab arrived on time, but instead of taking the doctor to his destination, the driver threatened the doctor and kidnapped him. The OLA cab driver then sent a ransom demand of Rs 5 crore (750,000 USD) to the shared-ride company, even calling the hospital where the doctor worked to pressure the company into paying. After a 13-day chase, the Delhi police freed the doctor unharmed and nabbed the kidnapper.

The motive for the kidnapping was to teach the shared-ride company a lesson, as the driver was miffed about the alleged non-payment of incentives.

The incident simply highlights the damage disgruntled employees can cause, often because of uncontrolled emotions. While the kidnapping seems to be one of a kind, incidents caused by employees in the workplace are quite common. In the early days it used to be sabotage of plant and machinery, but in a digital world it is the theft of IP or data, or even online defamation of the company and its personnel.

Monday, July 17, 2017

As the digital world explodes with a variety of new online services, cyber threats have become more ingenious and dangerous, and have spawned multiple variants and types. As each new threat makes the headlines, the accompanying set of threat-specific security recommendations confuses cybercitizens. Cybercitizens want a comprehensive list of recommendations that does not change frequently.

There are twelve foundational security practices that will help keep you and your family safe. Practicing them will harden your defenses against cybercrime and also reduce the negative effects of social media use.

1) Thou shalt not use a device with pirated software

Pirated software is not patched, as it is unlicensed. Unpatched software has security vulnerabilities which can be easily exploited to steal data and credentials.

2) Thou shalt not use a device which is not set for automatic updates of operating system patches

Automatic patching for personal devices is the best way to ensure that the latest security patches are applied and security loopholes closed before cybercriminals can get to them.

3) Thou shalt not use a device without updated antimalware (antivirus) software installed

Antimalware software reduces the probability of a malware infection (e.g. ransomware) on your device. For it to be effective at catching the latest malware variants, it has to receive the latest updates automatically.

4) Thou shalt not download pirated movies, games and other such material

Something free may turn out to be expensive, both financially and to your reputation. Malware is usually bundled with pirated content or applications.

5) Thou shalt not use a site without trying to verify its authenticity

The authenticity of a site can be verified by the lock icon and accompanying digital certificate. While not foolproof, this reduces the possibility of spoofed lookalike sites designed to steal your credentials.

6) Thou shalt not ignore inappropriate content on social networks; always report or dislike it

Inappropriate content influences the minds of our children as they stumble upon it online. Hate content in particular may induce biases which take a long time to reverse.

7) Thou shalt not indulge in or encourage cyberbullying online

A parent or teacher has the additional responsibility of guiding children on the right online behavior. You do not want your children to bully or be bullied.

8) Thou shalt not use passwords that can be easily guessed, and promise to keep the password a secret

Try to choose complex passwords, do not reuse them on multiple sites, and always store them securely. The easiest way to get into your online accounts is by stealing your passwords.

Try to check the authenticity of the email. Electronic communication is easily manipulated, as it is difficult to verify the authenticity of the sender. Scams like these can cost you money and affect your health.

10) Thou shalt not forsake your responsibility of helping your older parents or young kids to be safe as they use the internet

Be a guide and be easily available as both old and young learn to use the internet and face cyber risks. Being available requires that you can be reached for instant advice on problems they encounter.

11) Thou shalt never trust a stranger blindly online

Always be suspicious when dealing with online strangers, and never let down your guard at any point during the relationship. The identity of an online person cannot be easily verified; it can, however, be easily manipulated. Online friends sometimes have the vilest of intentions, which can lead to all forms of blackmail, particularly if they have incriminating pictures and videos. Besides adults, young children are potential victims.

12) Thou shalt not set a weak password for your mobile phone or keep it unlocked

A stolen phone with an easy-to-guess password, or one left unlocked, is a sure invitation into all your signed-in accounts and personal data. A large number of phones are left unattended or lost each year.

Friday, February 10, 2017

Frequently we hear of large data breaches at email, social networking, news and other types of websites of which we are members. Many of us may have been challenged by the site owner to change our password when the site suffered a breach, and may even have received a breach notification email.

It would, however, be useful to have a service which could tell us, any time we wished, whether our passwords were available in plain text online. The good news is that security blogger Troy Hunt has set up a site, http://haveibeenpwned.com/, where you can enter your email id (a common login credential) and find out if the corresponding password was exposed on breached sites. The bad news is that it covers only data breaches where the hacker has dumped the compromised list of passwords on paste sites such as Pastebin. This represents a small fraction of the passwords exposed, and in all probability allowed the hacker a window of time to gain access to your account before the breach was uncovered. It also allows anyone (friend, foe, bully, ex-partner, relative, competitor or colleague) who knows your email id to check for the password and selectively target you.

My advice to all cybercitizens in general, but more specifically after you discover that your password has been exposed, is:

1. Never reuse that exposed password, and never reuse a password on multiple sites. A single exposure can have a cascading effect in the compromise of your online assets. If you have used the same password on multiple sites, then quickly change the password on all of them.

2. Use two-factor authentication, which a large majority of sites offer, to limit the use of disclosed passwords.

3. Change your passwords once every 3 months to limit the exposure window. In large dumps the hacker may take time to target your account, and if you have changed your password by then, you would get lucky.

4. Quickly change passwords once you are aware that there has been a breach.

About Me

Security author and passionate blogger @LuciusonSecurity writing on risks that affect Internet users such as cyber crime, defamation, impersonation, privacy and security. Working hard to reduce cyber risks to some of the world's largest businesses. Find me on Twitter @luciuslobo or LinkedIn at http://in.linkedin.com/in/luciuslobo.